(57) The present invention overcomes the disadvantages and limitations of the related art by providing an apparatus and method for secure distribution of software, software updates, and configuration data. Cryptography is used to protect software or data updates sent
distribution channels. In the preferred embodiment, the contents of the data cannot be read by anyone who obtains the data, and the data will not be accepted unless it is unmodified and originated with the valid source for such data.
Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an apparatus and method for secure distribution of data. More particularly, the present invention relates to an apparatus and method for secure distribution of software, software updates, and configuration data.


2. Description of Related Art

In today's business environment, data is one of the most valuable resources required for maintaining a competitive edge. As a result, businesses must often be able to maintain data confidentiality, readily determine the authenticity of data, and closely control access to data. As used herein, the term "data" means a representation of facts, concepts or instructions in a formalized manner suitable for communication, interpretation, or processing by human or automatic means, including, but not limited to, software, software updates, and configuration data.

Data systems commonly consist of many types and sizes of computer systems that are interconnected through many different electronic data networks. It is now common for an organization to interconnect its data systems with systems that belong to customers, vendors, and competitors. Large
or they might provide continual services. For purposes herein, "computer"
functions of a Turing Machine, including a microcomputer, minicomputer, or mainframe computer. A Turing Machine is a well-known computer science concept and is explained in Encyclopedia of Computer Science, Ed. Anthony Ralston, ISBN 0-8405-321-0, which is specifically incorporated herein by reference. "Memory" includes a device or devices for storing data for use by a computer, including electronic, magnetic and electro-magnetic memory.

A combination of elements must work together to achieve a more secure
an appraisal of the value of the data and potential threats to that data provide

Security functions can be categorized as follows:

* Identification and authentication. Identifies users to the system and provides proof that they are who they claim to be.

* Access control. Determines which users can access which resources.

* Data confidentiality. Protects an organization's sensitive data from unauthorized

* Data integrity. Ensures that data is in its original form and that it has not been altered.

* Security management. Administers, controls, and reviews a business's security policy.

* Nonrepudiation. Assures that the message was sent by the appropriate individual.

Cryptography includes a set of techniques for scrambling or disguising
who can restore the data to its original form.
basis for keeping data confidential and for verifying
Implementation of Secure Systems, by Carl H. Meyer and Stephen M. Matyas, ISBN 0-471-04862-6, John Wiley & Sons, Inc.
(1982), is a classic text on the design and implementation of cryptographic
herein by reference.

For commercial business applications, the cryptographic process known
has been widely adopted. The Data Encryption Standard (DES), as well as other documents, defines how to use the DEA to encipher data. Federal Information Processing Standards Publication
Meyer & Matyas text. Many other processes for concealing data, such as protection of passwords and personal identification numbers (PINs), are based on the DES process. The DES algorithm uses a key to
processes the data. A DES key is a very small piece of data ( bits) that is normally retained
is used to transform the original data ("plaintext") to its disguised, enciphered
form. Because the DES algorithm is common knowledge, one must
Otherwise, someone who has the key that one used to encipher the data would be
Key management refers to the procedures that are used to keep keys secret.

To confirm the integrity of data, one can use the DES algorithm to compute a message authentication code (MAC)
Used in this way the DES algorithm is a powerful tool; it is almost impossible to meaningfully modify the data and still have it produce the same MAC for a given key. The standardized approaches authenticate data such as financial transactions, passwords, and computer programs.

After the MAC has been computed, it is sent with the data. To authenticate
to recompute the MAC; the system then compares this result with the MAC that was
of course, change both the data and the MAC; therefore, the key that is used to compute
between the MAC's originator and the MAC's authenticator.

An alternative approach to data integrity checking uses a standard key value and multiple iterations of the DES algorithm to generate a modification detection code (MDC). In this approach to data integrity checking, the MDC must be received from a trusted source. The person who wants to authenticate the data
the result with the MDC that was sent with the data.

Because the DES algorithm has been used for many years, its strength has been well demonstrated. Both software and specialized hardware can implement the DES algorithm. A hardware solution is often desirable for the following reasons:

* the algorithm requires many computer instructions to be processed

* the keys must be protected so that they can remain secret

* performance can be improved


If a data security threat comes from an external source, a software implementation
be sufficient; unfortunately, however, much fraud originates with
specialized cryptographic hardware can be required to protect against both insider and outsider data security threats. Well-designed hardware can do the following:


* ensure the security of cryptographic keys

* ensure the integrity of the cryptographic processes

* limit the key-management activities to a well-defined and carefully

The DES algorithm, which has been proven to be efficient and strong, is widely known
remain secret. Because the same key is used both to encipher the data and to decipher the data, the
be symmetric; it uses a symmetric key.

In another type of cryptographic process, an asymmetric process, one key is used to encipher the data, while a different but corresponding key is used to decipher the data to its original form

is known as a public-key system. The key that is used to encipher the data is widely known, but the corresponding key for deciphering the data is secret. For example, many people
to that person confidentially, knowing that only that person should possess the secret
key cryptographic algorithms have been incorporated into processes for simplifying the
for assuring data integrity, including providing nonrepudiation by using
techniques are discussed in more detail in the Meyer & Matyas text.

Public-key algorithms (e.g., RSA algorithm, by R. Rivest
use even more computer time than the DES algorithm
situations in which the characteristics of the public key algorithm
to both the DES and RSA algorithms, no practical means exists to identify
tographic key; therefore, keeping a key secret at a cryptographic
does not provide sufficient protection. If adversaries have access to the cryptographic process and to certain protected keys, they could possibly misuse the keys and eventually compromise the system. A
must be in place to protect and distribute cryptographic keys in a secure

Access control protects data by allowing only persons or programs with a legitimate need to access system resources, such as a file, selected records or fields in a file, a hardware device, or the computer
Access control uses the following services:

* Identification and verification. Identification is the ability to use a unique name, label, or other reference to identify each user or program to the system. Verification is the ability to provide proof that users and programs are who and what they claim to be. (Verification is also known as "authentication".)

* Authorization. Authorization is the process whereby
data sets, programs, or transactions. (Authorization is also known as "access control".)

* Enforcement. Enforcement is a subsystem process of verifying the requester's authorization.


In systems that consist of multiple computers, it is increasingly necessary for persons or programs at one system to be able to convince persons or programs at another system that they are entitled
to this problem involve the following:

* using local access controls

* using cryptographic processing to ensure the authenticity of a process

* ensuring that the authorization information is confidential


Many computer products and peripherals now have their own intelligence, separate from the computer itself, in the form of integrated microprocessors. These microprocessors use stored programs to provide

For example, the IBM 4755 Cryptographic Adapter is a device which includes a microprocessor
programming logic mounted on a printed circuit board. Functions are housed within a tamper-resistant module, or secured area, for protection, such as that discussed more fully in U.S. Pat. No. 5,027,397, which is specifically incorporated herein by reference. The IBM 4755 is a component of the IBM Transaction Security System discussed in the publication entitled "Transaction Security System: General Information Manual and Planning Guide" (GA34-2137-0), U.S. Pat. No. 5,048,085, and U.S. Pat. No. 5,148,481, which are specifically incorporated herein by reference.

Typically, two kinds of memory are associated with these microprocessors: permanent (unalterable or nonvolatile) memory for the program; and volatile memory for data used by the program. Permanent memory is typically Read Only Memory (ROM), Programmable Read Only Memory (PROM), or
Volatile memory is typically a static or dynamic RAM
is removed.

Newer technologies allow the designer to use memory which is
memory in which the data can be changed, but the contents are retained when the power is off. Several technologies can be used to obtain these characteristics. Flash EPROM (FEPROM) permits areas of memory to be erased electronically and then reprogrammed. Electrically Erasable PROM (EEPROM) permits individual bytes or bits to be rewritten much like RAM memory. Complementary Metal-Oxide Semiconductor (CMOS) RAM with battery back-up uses little power and retains RAM contents when system power is off.

These newer kinds of memory can be used in two ways to improve the
First, if some or all of the microprocessor program is stored in nonvolatile
can be changed after the product is manufactured. Thus, new features can be added and errors can be corrected. This prevents product obsolescence and protects the manufacturer from high warranty

Second, data stored in the memory can control the configuration of the product. One such use is to selectively enable or disable product features. In this way, the manufacturer can produce
of applications which need different features. Users can be charged for an upgrade to enable new features, which
be highly profitable to the manufacturer since no new hardware has to be shipped

There are many circumstances which would make it advantageous to be able
subset of the total population of devices. The reason may be
the underlying hardware or software
the manufacturer may want to apply the upgrade only to devices

* a particular model number

* a manufacture date within a particular range of dates

* a particular version of software installed

* a certain range of serial numbers

* a specific combination of features

It is easy to see why this kind of flexibility is highly desirable.
impediment to its use, however: security.
Both the manufacturer and user want to be sure they have control over programs that are loaded into the memory. The manufacturer may want to make sure only its programs are used, to ensure the programs meet quality and performance standards. The manufacturer may also want to prevent anyone from learning how the software works, or what the data is that is being sent to the user. The user, on the other hand, wants to make sure the programs in the devices are valid, and prevent any that might malfunction or which
would be a "Trojan horse" program which would normally operate correctly
the user's security practices, or to divulge the user's secret information.

Typically, there will be one source for all field upgrades to code or configuration data, although other scenarios are possible. For the purposes of discussion, assume that the device manufacturer
updates, and the device is a security adapter card, with a secured area or module
The problem can then be described with two fundamental requirements:

First, data sent to the user must be kept secret. It must be impossible for anyone to discover or modify the contents of the data.

Second, the user must be able to verify that the data came from the valid source (e.g., the
is a form of non-repudiation.

SUMMARY OF THE INVENTION

The present invention overcomes the disadvantages and limitations of the related art by providing an apparatus and method for secure distribution of software, software updates, and configuration data. Cryptography is used to protect software or data updates sent to computer products or peripherals
In the preferred embodiment, the contents of the data cannot be read by anyone who obtains the data, and the data will not be accepted unless it is unmodified and originated with the valid source for such data.

An advantage of the invention is to provide an apparatus and method for secure distribution of software, software updates, and configuration data.

Another advantage of the invention is to provide an apparatus and method
the configuration of a product so as to selectively enable or disable product features

Yet another advantage of the invention is to provide an apparatus and method wherein data stored in memory controls the acceptance or rejection of proposed data for a product.

The foregoing and other advantages of the present invention will be
handling technology in view of the accompanying drawings and description

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting a computer system and associated cryptographic system, wherein an enlargement of an embodiment of the cryptographic system is broken out

FIG. 2 is a block diagram of an embodiment of the invented apparatus for secure distribution of software, software updates, and configuration data employing public key cryptography

FIG. 3 is a flowchart of an embodiment of the invented method for secure distribution of software, software updates, and configuration data employing public key cryptography

FIG. 4 is a block diagram of an embodiment of the invented apparatus for secure distribution of software, software updates, and configuration data employing public key cryptography

FIG. 5 is a flowchart of an embodiment of the invented method for secure distribution of software, software updates, and configuration data employing public key cryptography

FIG. 6 is a depiction of criteria information in tabular form.

DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring now to FIG. 1, a computer or computer system 10 is shown which includes a cryptographic system 12 comprising a microprocessor 14, memory 16, and cryptographic functions 18 mounted upon a device or adapter card 20. The microprocessor, memory, and cryptographic functions are housed within a secured area or module 22.

As shown in FIG. 2, a public key KPU is installed in the adapter card 20. Cryptographic system 12 includes the public key algorithm (e.g., RSA). The corresponding private key KPR would be held by, for example, the adapter card manufacturer, in a secure, secret manner so it would never be disclosed outside
Preferably, the data is protected twofold:

First, as shown in FIG. 2, data D is encrypted by a public key cryptographic system 24 using the private key KPR
or, as shown in FIG. 4, data is encrypted by a symmetric key cryptographic system 25 using the symmetric key KS. This
provides the necessary secrecy; the data content cannot be determined by anyone intercepting the data, and any modification to the encrypted data will render it invalid.

Second, in FIGS. 2 and 4, a digital signature on the data is computed and sent to the adapter card users using a digital signature generator 26. This signature can be a component of cryptographic function 18 or a separate
18 include both a public key cryptographic system 18a and a symmetric cryptographic system 18b. A verified digital signature proves that the data has not been altered since its creation, and proves
the manufacturer.

Two embodiments of the invention are described below.

Using only public key cryptography

The first four steps in FIG. 3 are performed by the manufacturer, who sends the resulting data to the users. The remaining steps are performed by the user to load the data into the adapter card.

The manufacturer first generates the data to be loaded into the adapter cards
D. The manufacturer already possesses private key KPR and the corresponding public
card manufactured. The key KPU may be embedded in the adapter card, or
other medium if it is protected against substitution (e.g., by a certification process). It does not need to be kept secret in order to maintain integrity of the loaded data.

In step 110, the manufacturer computes a digital signature
digital signature is optional. Its use enhances the ability to prove the source of
successfully without a signature. The digital signature function is represented
before the data is accepted by the adapter card, assuring it came from the manufacturer in this example.

In step 120, the data D is encrypted using the private key algorithm with
disclosure or modification prior to its installation in the adapter card. The
algorithm, such as the RSA algorithm.

The manufacturer, in step 130, sends the encrypted data pke(D) and the digital signature
through any convenient channel; diskettes, electronic mail, or any other medium is sufficient. The user receives this information, and loads the data and signature into the secured area

In step 150, the adapter decrypts the data using the public key KPU, recovering
step 160, the digital signature is verified using the same key. If the signature
have been created by the manufacturer, who holds the private key KPR
validity has been determined, the data is applied to the nonvolatile
the information is discarded, step 170.

Only the private key KPR needs to be kept secret. The public key
there is no security exposure if its value is divulged. The nature of the public
key cannot be determined from the public key, and that valid data cannot be generated
alone.

Using public key and symmetric key cryptography

Alternatively, the data can be encrypted using a symmetric key cryptographic algorithm (e.g., DES) instead of the public key algorithm used above. With current technology, symmetric key algorithms are generally faster to compute than public key algorithms, so this method is presently preferable. A random
each time new data is produced.

As shown in step 200 of FIG. 5, the manufacturer generates the data
In step 210, a random symmetric algorithm key designated
manufacturer must send it to them in a secure manner. In step 220, KS is encrypted
the private key KPR.

In step 230, the manufacturer computes a digital signature over the
using the symmetric key algorithm with key KS. The encrypted KS, the
dsig(D) are all sent to the user in step 250.

In step 260, the data is received at the user site where adapter cards are installed. The data is loaded into the secured area of the card, which contains the public key KPU. In step 270, KPU is used to decrypt the symmetric key KS using the public key algorithm. In step 280, the recovered KS is used to decrypt the data using the symmetric key algorithm.

In step 290, the digital signature is verified using KPU in order to verify the
it means that both the data D and the key KS were valid; in this case, the data is loaded into
the adapter card and enabled for use, step 310. Otherwise, the data is discarded
calculations are preferably performed inside the secured area, so there is no threat of
is recovered and verified.
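The FIG. 5 exchange (steps 200 to 310) as runnable Python, added here as an illustration and not the patent's own code. Textbook RSA with fixed small primes stands in for the public key algorithm, a SHA-256 keystream stands in for DES, and dsig(D) is modelled as the SHA-256 digest of D transformed under KPR; the update bytes are constructed, and none of these stand-ins is production cryptography.

```python
"""Toy model of the hybrid update path of FIG. 5 (added example, not the patent's code).

Stand-ins, all deliberately simplified and stated here as assumptions:
  * textbook RSA with fixed Mersenne primes and no padding plays the public key
    algorithm (KPU installed in the card, KPR held by the manufacturer);
  * a SHA-256 counter keystream XOR plays the symmetric algorithm keyed with KS
    (DES in the text);
  * dsig(D) is modelled as SHA-256(D) transformed under KPR.
The point is the order of operations and the accept-or-discard decision that
the text places inside the secured area.
"""
import hashlib
import secrets

# --- public key algorithm stand-in ------------------------------------------
P, Q = 2**31 - 1, 2**61 - 1                 # fixed primes so the demo is reproducible
N = P * Q                                    # ~92-bit modulus: an 8-byte block is always < N
E = 65537
KPU = (N, E)                                 # public key, installed in every adapter card
KPR = (N, pow(E, -1, (P - 1) * (Q - 1)))     # private key, never leaves the manufacturer

BLOCK = 8                                    # plaintext block size in bytes


def rsa_apply(data: bytes, key: tuple) -> list:
    """Transform each 8-byte block of `data` under `key`; returns one int per block."""
    n, exp = key
    return [pow(int.from_bytes(data[i:i + BLOCK], "big"), exp, n)
            for i in range(0, len(data), BLOCK)]


def rsa_recover(blocks: list, key: tuple) -> bytes:
    """Inverse of rsa_apply; raises ValueError if a block no longer fits 8 bytes."""
    n, exp = key
    out = b""
    for c in blocks:
        m = pow(c, exp, n)
        if m >= 1 << (8 * BLOCK):
            raise ValueError("block does not decode to a valid plaintext block")
        out += m.to_bytes(BLOCK, "big")
    return out


# --- symmetric algorithm stand-in --------------------------------------------
def sym_crypt(ks: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256 counter keystream derived from KS (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        stream = hashlib.sha256(ks + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)


# --- manufacturer side: steps 200 to 250 -------------------------------------
def manufacturer_package(data: bytes) -> dict:
    """Produce the three items sent to the user: encrypted KS, dsig(D), encrypted D."""
    ks = secrets.token_bytes(BLOCK)                      # step 210: fresh random KS per release
    return {
        "enc_ks": rsa_apply(ks, KPR),                    # step 220: KS under the private key KPR
        "dsig": rsa_apply(hashlib.sha256(data).digest(), KPR),  # step 230: signature over D
        "enc_data": sym_crypt(ks, data),                 # step 240: D under KS
    }


# --- adapter card side: steps 260 to 310, all inside the secured area --------
def adapter_install(pkg: dict):
    """Return the recovered data if it verifies under KPU, else None (data discarded)."""
    try:
        ks = rsa_recover(pkg["enc_ks"], KPU)             # step 270: recover KS with KPU
        data = sym_crypt(ks, pkg["enc_data"])            # step 280: recover D with KS
        digest = rsa_recover(pkg["dsig"], KPU)           # step 290: open dsig(D) with KPU
    except ValueError:
        return None                                      # malformed package: discard
    if digest != hashlib.sha256(data).digest():
        return None                                      # D or KS altered in transit: discard
    return data                                          # step 310: accept and enable


def tampered(pkg: dict, field: str) -> dict:
    """Copy of `pkg` with one bit flipped in `field` (constructed test input)."""
    copy = dict(pkg)
    if field == "enc_data":
        copy[field] = bytes([pkg[field][0] ^ 1]) + pkg[field][1:]
    else:
        copy[field] = [pkg[field][0] ^ 1] + pkg[field][1:]
    return copy


if __name__ == "__main__":
    release = b"constructed configuration data: enable feature 7"  # constructed sample D
    pkg = manufacturer_package(release)
    print(adapter_install(pkg) == release)                     # True
    print(adapter_install(tampered(pkg, "enc_data")) is None)  # True
```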
With either method described above, other checking codes could be used as an alternative to the digital signature. An MDC, cyclic redundancy check (CRC), or any other valid checking code could be calculated over the data and appended to the data before it is encrypted. Once the data has been decrypted
this value could be verified against the recovered data. If it verifies
the private key KPR.

Use of information in the data as decision criteria

Once the data has been loaded into the adapter card, the decision of whether to permit
data can be made a function of information and/or instructions contained within the data itself.

In one embodiment, software contained in the device is used to compare "criteria information" in the data with "basic information" already contained in the device. Examples of such basic information are:

* serial number

* model codes

* date of manufacture

* version of software currently installed

* codes describing installed or available features

The basic information in the device is stored in memory (including hardware registers, permanent software, or resident loadable software). The criteria information is preferably included
FIG. 6. The data, and therefore the criteria information, is securely distributed in the manner described in the previous sections herein. Control software within the device examines this table and compares it to the appropriate base information in order to decide whether to apply the data.

The pseudocode in Table 1 is an example of how the criteria information
Each item in the table would be compared with the appropriate basic information
comparisons would be used to determine

TABLE 1

Load_Permitted = FALSE;
If SN_Min <= SN <= SN_Max then Do;
  If DT_Min <= DT <= DT_Max then Do;
    If Min_HW_Lvl <= HW_Lvl <= Max_HW_Lvl then Do;
      If Min_SW_Lvl <= SW_Lvl <= Max_SW_Lvl then Do;
        Get Feature_Vector;
        If all Features_Required features are present then Do;
          If no Features_Prohibited features are present then
            If Model_List is empty then Load_Permitted = TRUE;
            Else do While Model_List not empty;
              Get Test_Model from head of Model_List;
              If Test_Model = model of this device
                then Load_Permitted = TRUE;
If Load_Permitted = TRUE then load data to memory;
Else Abort loading process



* SN_Min and SN_Max are the lowest and highest serial numbers the device can have for the data to be valid. In the pseudocode in Table 1, the serial number for a specific device is designated SN.

* DT_Min and DT_Max are the earliest and latest dates the device can have for the data to be valid, e.g., the manufacturing date, the microcode creation date, or some other date code. Several different dates could be compared if desired. In the pseudocode in Table 1, the date code for a specific device is designated DT.

* Min_HW_Level and Max_HW_Level are the lowest and highest hardware levels the device can have for the data to be valid. This represents the version of hardware in the device. HW_Level is used in the pseudocode to represent a particular device's hardware level.

* Min_SW_Level and Max_SW_Level are the lowest and highest software levels the device can have for the data to be valid. This represents the version of software in the device prior to application of the data. SW_Level is used in the pseudocode to represent the particular device's software level.

* Features_Required and Features_Prohibited are vectors of boolean values. They represent the features the device must have for the data to be valid, and the features the device must not have for the data to be valid. In the pseudocode, Feature_Vector represents a vector of boolean values representing the features present in a specific device.

* Model_List is a list of product Models which are valid targets for the data. An empty list can be used to indicate that the data is valid for all models. Otherwise, the device looks for its own model code in the list; if it is not present, the data will not be applied.
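The Table 1 decision as runnable Python, added here as an illustration and not the patent's own code. It collects every failed check rather than stopping at the first, so a rejected update carries a reason; the device record, criteria values and model names are constructed, and features are modelled as sets of names, which is equivalent to the boolean vectors for a present/absent test.

```python
"""Criteria check of Table 1 as runnable code (added example, not the patent's own).

The device record and the criteria table below are constructed sample values; the
field names follow Table 1.  Features are modelled as sets of feature names rather
than boolean vectors, which is equivalent for the present/absent test.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Basic information held in the device (registers, permanent software, etc.)."""
    sn: int                 # SN
    dt: int                 # DT, a date code such as YYYYMMDD
    hw_lvl: int             # HW_Lvl
    sw_lvl: int             # SW_Lvl
    features: frozenset     # Feature_Vector, as the set of present features
    model: str


@dataclass(frozen=True)
class Criteria:
    """Criteria information carried inside the (already decrypted and verified) data."""
    sn_min: int
    sn_max: int
    dt_min: int
    dt_max: int
    min_hw_lvl: int
    max_hw_lvl: int
    min_sw_lvl: int
    max_sw_lvl: int
    features_required: frozenset
    features_prohibited: frozenset
    model_list: tuple       # empty tuple: data is valid for all models


def check_criteria(dev: Device, crit: Criteria) -> list:
    """Return the list of failed checks; an empty list means Load_Permitted = TRUE.

    Table 1 stops at the first failing test; collecting every failure instead
    gives the operator a usable reason when an update is rejected.
    """
    failures = []
    if not crit.sn_min <= dev.sn <= crit.sn_max:
        failures.append("serial number out of range")
    if not crit.dt_min <= dev.dt <= crit.dt_max:
        failures.append("date code out of range")
    if not crit.min_hw_lvl <= dev.hw_lvl <= crit.max_hw_lvl:
        failures.append("hardware level out of range")
    if not crit.min_sw_lvl <= dev.sw_lvl <= crit.max_sw_lvl:
        failures.append("software level out of range")
    missing = crit.features_required - dev.features
    if missing:
        failures.append("required features absent: " + ", ".join(sorted(missing)))
    present = crit.features_prohibited & dev.features
    if present:
        failures.append("prohibited features present: " + ", ".join(sorted(present)))
    if crit.model_list and dev.model not in crit.model_list:
        failures.append("model not in Model_List")
    return failures


def load_permitted(dev: Device, crit: Criteria) -> bool:
    """The Table 1 decision: load only when no check fails."""
    return not check_criteria(dev, crit)


# Constructed sample values (placeholder model names, not real product codes).
CRITERIA = Criteria(
    sn_min=1000, sn_max=1999,
    dt_min=19930101, dt_max=19931231,
    min_hw_lvl=2, max_hw_lvl=3,
    min_sw_lvl=4, max_sw_lvl=5,
    features_required=frozenset({"des"}),
    features_prohibited=frozenset({"export_only"}),
    model_list=("model-a", "model-b"),
)
CARD_OK = Device(sn=1500, dt=19930615, hw_lvl=2, sw_lvl=4,
                 features=frozenset({"des", "rsa"}), model="model-a")
CARD_OLD_SW = Device(sn=1500, dt=19930615, hw_lvl=2, sw_lvl=3,
                     features=frozenset({"des"}), model="model-a")
CARD_WRONG_MODEL = Device(sn=1500, dt=19930615, hw_lvl=3, sw_lvl=5,
                          features=frozenset({"des", "export_only"}), model="model-z")

if __name__ == "__main__":
    for card in (CARD_OK, CARD_OLD_SW, CARD_WRONG_MODEL):
        print(card.model, load_permitted(card, CRITERIA), check_criteria(card, CRITERIA))
```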



In an alternative method wherein one implements
itself contains special software which
and therefore the checking software, is securely distributed in the manner described in the previous sections herein. This checking software is not a part of the operational software used in the everyday application of the device. The additional checking software may be optional; if present, it is called by
and it determines whether the data should be applied. The same checking software
instructions to prepare the device for the new software or data contained in the data.



TABLE 2

If checking software present in the data then Do;
  Load checking software;
  Verify checking software is valid;
  Abort if invalid;
  Execute checking software;
  If result = "ok to load data" then Do;
    Get data;
    If data is valid
      Then load data to memory;
      Else abort



This embodiment is more flexible than the first embodiment
the initial design. Functions can be added with any data update

In operation, this embodiment can be combined with
permanently stored in the device

The function performed by the checking software is
Instructions would typically be similar to those described for the first embodiment but could include any checking or initialization deemed necessary by the designer.

A similar approach can be used to provide optional software that
loaded. This could perform initialization necessary to prepare the updated device for use.

Of course, many modifications and adaptations to the present invention
departing from the spirit of this invention. Further, some features of the
use of other features. Accordingly, this description should be considered
present invention and not a limitation thereof.

Further disclosed is:

1. A method of securely controlling the configuration of a computer system so that features of said system may be conveniently enabled or disabled, said method including the steps of:

providing memory which is located within a secured area which is protected from physical and direct electrical access;

executing a program which requires specific information to be stored in the memory to permit the use of specific features of the system; and

updating the specific information with data decrypted from encrypted data originating from another computer system.

2. The controlling method of item 1 including the additional steps of:

encrypting the data at the other computer system under a first key of a public key encryption system; and

decrypting the data within the secured area with a second key of the public key encryption system.

3. The controlling method of item 2 including the additional steps of:

generating a symmetric key for use with a symmetric cryptography algorithm;

encrypting the data under the generated symmetric key;

encrypting the generated symmetric key under a first key of a public key encryption system;

transferring the encrypted data and the encrypted symmetric key to a processing system which is located within the secured area;

decrypting the received symmetric key within the secured area with a second key of the public key encryption system;

decrypting the received data within the secured area under the decrypted symmetric key with a symmetric cryptography algorithm; and

storing the decrypted data in said memory.

4. The loading method of item 3 wherein

the first key is a private key used with said public key encryption system.

5. The loading method of item 3 or 4 wherein

the second key is a public key used with said public key encryption system.

6. The controlling method of one of items 1 to 5 wherein

the executed program is included in the data originating from the other computer system.

7. The controlling method of one of items 1 to 6 wherein said specific information includes at least one of the following:

serial number of the computer system;

model number of the computer system;

date of manufacture of the computer system;

version of software currently installed in the computer system; and

codes describing installed or available features.

8. The controlling method of one of items 1 to 7 wherein

the features of the system are related to software updates included in the data originating from the other computer system.

9. A method of securely controlling the enablement of data loaded in memory within a device, said method including the steps of:

providing information within said memory representing at least one characteristic related to said device;

providing criteria information within said data to be compared with said at least one characteristic;

comparing said criteria information with said at least one characteristic; and

enabling said data to be used within said device if said at least one characteristic meets said criteria information.

10. The controlling method of item 9, wherein

at least some portion of said comparing step is performed in accordance with instructions

11. The controlling method of item 9 or 10, wherein

said characteristic information corresponds to at least one of the following:

serial number of the device;

model number of the device;

date of manufacture of the device;

version of software currently installed in the device; and

codes describing installed or available features.

Claims 

1. A method of transferring data into a secured area, said method including the steps of:

encrypting (120) said data under a first key of a public key encryption system (24);

transferring (130) said encrypted data to a processing system which is located within said secured area;

decrypting (150) said received data within said secured area with said public key encryption system (24) under a second key; and

storing said decrypted data within said secured area.

2. The method of claim 1, wherein

said transferring data into a secured area is loading data into at least some portion of memory which is located within said secured area, and

said secured area is protected from physical and direct electrical access, thereby guarding against undesired detection of said transferred data.

3. A method of loading data into at least some portion of memory which is located within a secured area which is protected from physical and direct electrical access, thereby guarding against undesired detection of said loaded data, said method including the steps of:

generating (210) a symmetric key (Ks) for use with a symmetric cryptography algorithm;

encrypting (240) said data under said generated symmetric key (Ks);

encrypting (220) said generated symmetric key (Ks) under a first key of a public key (Kpu) encryption system;

transferring (250) said encrypted data and said encrypted symmetric key (Ks) to a processing system which is located within said secured area;

decrypting (270) said received symmetric key (Ks) within said secured area with a second key of said public key (Kpu) encryption system;

decrypting (280) said received data within said secured area with said decrypted symmetric key (Ks) with a symmetric cryptography algorithm; and

storing said decrypted data into said at least some portion of memory.

4. The method of one of claims 1 to 3, wherein

said first key is a private key (Kpr) used with said public key (Kpu) encryption system.

5. The method of one of claims 1 to 4, wherein

said second key is a public key (Kpu) used with said public key (Kpu) encryption system.

6. The method of one of claims 1 to 5, wherein

said public key (Kpu) is stored within said secured area.

7. The method of one of claims 1 to 6 further including the step of:

adding a code to said encrypted data which is to be transferred for authenticating said encrypted data.

8. The method of claim 7 wherein

said code is selected from said group consisting of a digital signature, a modification detection code (MDC), and a cyclic redundancy check (CRC).

9. The method of claim 7 or 8 further including the step of:

authenticating said decrypted data; and

enabling said decrypted data to be used if said decrypted data is authentic; otherwise
data.

10. A system for securely holding data, said system comprising:

memory means located within a secured area which is protected from physical
means for providing a public key (Kpu) within said secured area;
means within said secured area for receiving data encrypted by a corresponding
means within said secured area for decrypting (150) said received data

11. The system of claim 10 wherein

said decrypted data provides a symmetric key (Ks).

12. The system of claim 11 including:

means within said secured area for receiving data encrypted by a symmetric algorithm under said symmetric key (Ks);

means for decrypting (280) said data under said symmetric key (Ks)
key (Kpu); and

means for storing said symmetric key decrypted data in said memory.

13. The system of one of claims 10 to 12 further including

means for analyzing a code received by said system to authenticate said data received.

14. The system of claim 13, wherein

said code is selected from said group consisting of a digital signature, a modification detection code (MDC), and a cyclic redundancy check (CRC).

15. A method of securely controlling the configuration of a computer system (10) so that features of said system may be conveniently enabled or disabled, said method including the steps of:

providing memory which is located within a secured area which is protected from physical and direct electrical access;

executing a program which requires specific information to be stored in said memory to permit the use of specific features of said system; and

updating said specific information with data decrypted from encrypted data originating from another computer system.

16. A method of securely controlling the enablement of data loaded in memory within a device, said method including the steps of:

providing information within said memory representing at least one characteristic related to said device;

providing criteria information within said data to be compared with said at least one characteristic;

comparing said criteria information with said at least one characteristic; and

enabling said data to be used within said device if said at least one characteristic meets said criteria information.
FIG. 1
FIG. 3
FIG. 5